ABSTRACT OF THE DISCLOSURE
SYSTEM, METHOD AND APPARATUS THAT EMPLOY VIRTUAL PRIVATE 
NETWORKS TO RESIST IP QoS DENIAL OF SERVICE ATTACKS 

A network architecture in accordance with the present invention includes a
communication network that supports one or more network-based Virtual Private Networks
(VPNs). The communication network includes a plurality of boundary routers that are connected
by access links to CPE edge routers belonging to the one or more VPNs. To prevent traffic from
outside a customer's VPN (e.g., traffic from other VPNs or the Internet at large) from degrading
the QoS provided to traffic from within the customer's VPN, the present invention gives
precedence to intra-VPN traffic over extra-VPN traffic on each customer's access link through
access link prioritization or access link capacity allocation, such that extra-VPN traffic cannot
interfere with inter-VPN traffic. Granting precedence to intra-VPN traffic over extra-VPN
traffic in this manner entails special configuration of network elements and protocols, including
partitioning between intra-VPN and extra-VPN traffic on the physical access link using layer 2
multiplexing and the configuration of routing protocols to achieve logical traffic separation
between intra-VPN traffic and extra-VPN traffic at the VPN boundary routers and CPE edge
routers. By configuring the access networks, the VPN boundary routers and CPE edge routers,
and the routing protocols of the edge and boundary routers in this manner, the high-level service
of DoS attack prevention is achieved.
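
The access link prioritization described above, shown as an added example that is not part of the disclosure: a slot-based model of one access link, comparing a shared FIFO with separate per-class queues served intra-VPN first while extra-VPN traffic exceeds link capacity. The function name, rates, queue limit and arrival pattern are constructed assumptions, and only prioritization (not capacity allocation) is modelled.

```python
from collections import deque

def simulate_access_link(ticks, capacity, intra_rate, extra_rate,
                         queue_limit, prioritize):
    """Model one access link in fixed time slots; return per-class counters."""
    total = intra_rate + extra_rate
    # Constructed arrival pattern: intra-VPN packets are spread evenly
    # through each tick's burst of extra-VPN packets.
    arrivals = ["extra"] * total
    for i in range(intra_rate):
        arrivals[i * total // intra_rate] = "intra"

    # Without separation both classes share one FIFO; with separation each
    # class has its own queue (the logical partitioning of the access link).
    shared = deque()
    queues = {"intra": deque() if prioritize else shared,
              "extra": deque() if prioritize else shared}
    stats = {"intra_sent": 0, "extra_sent": 0,
             "intra_dropped": 0, "extra_dropped": 0}

    for _ in range(ticks):
        for cls in arrivals:
            q = queues[cls]
            if len(q) < queue_limit:
                q.append(cls)
            else:
                stats[cls + "_dropped"] += 1      # tail drop on a full queue
        budget = capacity                         # packets the link carries per tick
        for cls in ("intra", "extra"):            # intra-VPN queue is served first
            q = queues[cls]
            while budget and q:
                stats[q.popleft() + "_sent"] += 1
                budget -= 1
    return stats

if __name__ == "__main__":
    # Constructed scenario: link carries 10 packets/tick, the VPN offers 4,
    # traffic from outside the VPN offers 40.
    for mode in (False, True):
        print("prioritize =", mode,
              simulate_access_link(1000, 10, 4, 40, 20, mode))
```

With the shared queue, intra-VPN packets are tail-dropped alongside the excess extra-VPN load; with separation, the VPN's own traffic is delivered in full and extra-VPN traffic receives only the leftover capacity.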


